Security researchers have uncovered a new breed of botnets which rely on the functionality offered by the Tor (The Onion Router) anonymity network.

A few days ago, at the DefCon Bangalore security conference – 17-year-old researcher Suriya Prakash presented his findings on how botnets are starting to rely more and more on Tor to hide their traces.

“They work like all other botnets, but are hidden behind the TOR network and run as a hidden service with .onion domains (many sites like WikiLeaks have mirror sites in the TOR network, or search engines like duckduckgo, and many other illegal sites that cannot exist in the public internet),” Suriya told Softpedia.

“You can set it up just like a normal web server but bind it to the port from which TOR hidden service is running and hence your botnet will run behind the TOR network and it will not be possible to trace the C&C server,” he added.

“The bots themselves should have an instance of TOR (because only computers in the TOR network can communicate with hidden services servers) and will communicate over the TOR network to send data and receive commands from the server.”

The expert highlighted the fact that such botnets could not be disrupted such as the classic ones by revoking domains, banning IP addresses or by requesting the host to take down the website.

“ICANN has no power over the TOR network and the .onion domains so it cannot be revoked as there is no ‘authority’ for it. The domains are randomly generated hashes by the network and a person cannot ‘request’ a certain domain to be assigned to them,” he explained.

“Also note that the only way to authenticate and prove to the network that the domain belongs to you is the RSA key. As long as you don’t reveal your ‘RSA private key’ nobody can use that domain.”

He claims that IP banning doesn’t work either because there are no actual IPs, and since the host of such a website cannot be traced, it is impossible to take it down.

“Since the host cannot be traced , they cannot be asked to take it down (also they are mostly run in a VPS and off the RAM so even if you find it and raid it, it would not be help as all data would only be stored using high level encryption),” the researcher noted.

“And even ‘IF’ taken down the botnet master needs to only have a copy of the ‘RSA private key’ and he can run it off a different server but with the SAME .onion domain and thus he will not lose control of his bots.”

Shortly after Suriya’s presentation at DefCon Bangalore, security firm GData revealed that it had found a botnet whose command and control (C&C) server – which used the IRC protocol – had been hidden inside Tor.

The researcher is currently trying to identify methods that could help disrupt the activities of such botnets.

Suriya’s presentation, containing a video which demonstrates how these bots send and receive commands over Tor, is available here.